2.02.2011

Clues Suggest Stuxnet Virus Was Built for Subtle Nuclear Sabotage

New and important evidence found in the sophisticated “Stuxnet” malware targeting industrial control systems provides strong hints that the code was designed to sabotage nuclear plants, and that it employs a subtle sabotage strategy that involves briefly speeding up and slowing down physical machinery at a plant over a span of weeks.

The Stuxnet worm was discovered in June in Iran, and has infected more than 100,000 computer systems worldwide. SCADA systems, short for “supervisory control and data acquisition,” are control systems that manage pipelines, nuclear plants and various utility and manufacturing equipment.

Researchers determined that Stuxnet was designed to intercept commands sent from the SCADA system to control a certain function at a facility, but until Symantec’s latest research, it was not known what function was being targeted for sabotage. Symantec still has not determined what specific facility or type of facility Stuxnet targeted, but the new information lends weight to speculation that Stuxnet was targeting the Bushehr or Natanz nuclear facilities in Iran as a means to sabotage Iran’s nascent nuclear program.

According to Symantec, Stuxnet targets specific frequency-converter drives — power supplies used to control the speed of a device, such as a motor. The malware, however, doesn’t sabotage just any frequency converter. Even more specifically, Stuxnet targets only frequency drives from these two companies that are running at high speeds — between 807 Hz and 1210 Hz. Symantec is careful not to say definitively that Stuxnet was targeting a nuclear facility, but notes that “frequency converter drives that output over 600 Hz are regulated for export in the United States by the Nuclear Regulatory Commission as they can be used for uranium enrichment.”

German researcher Ralph Langner was the first to suggest that the Bushehr nuclear power plant in Iran was the Stuxnet target. Frank Rieger, chief technology officer at Berlin security firm GSMK, believes it’s more likely that the target in Iran was a nuclear facility in Natanz. The Bushehr reactor is designed to develop non-weapons-grade atomic energy, while the Natanz facility, a centrifuge plant, is designed to enrich uranium and presents a greater risk for producing nuclear weapons.

Increase the frequency, and the motor increases in speed. If the number of drives from the Iranian firm exceeds the number from the Finnish firm, Stuxnet unleashes one sequence of events. If the Finnish drives outnumber the Iranian ones, a different sequence is initiated.

Once Stuxnet determines it has infected the targeted system or systems, it begins intercepting commands to the frequency drives, altering their operation.“Stuxnet changes the output frequency for short periods of time to 1410Hz and then to 2Hz and then to 1064Hz,” writes Symantec’s Eric Chien on the company’s blog. “Modification of the output frequency essentially sabotages the automation system from operating properly. Stuxnet was designed to hide itself from detection so that even if administrators at a targeted facility noticed that something in the facility’s process had changed, they wouldn’t be able to see Stuxnet on their system intercepting and altering commands.